Well....<div> </div><div>I think I can now answer my own question.</div><div> </div><div>The following is from: <a href="http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis">http://fedoraproject.org/wiki/QA:Testcase_freeipav2_nis</a></div> <div> </div><div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><div>Password Hashes</div><div>You may notice that password hashes are not available, even when you attempt to retrieve entries as root. As this is the default behavior, a prospective client system would need to also be configured to use either Kerberos or LDAP to check user passwords.</div> </div><div> </div></blockquote>I'm sorry for the spam.. :-)... And also, my inconsistent hosts and IP's below are the result of a failed obfuscation, rather than actual inconsistencies in my config.</div><div> </div><div>Cheers and thanks for FreeIPA!</div><div> </div><div>-Joshua</div><div> </div><div>P.S. I guess I'll go some other route to authenticate these ancient Ubuntu 9.04 boxes to IPA. lol</div><div> </div> <div> <div class="gmail_quote">On Thu, Mar 8, 2012 at 7:29 PM, <<a href="mailto:freeipa-devel-request@redhat.com">freeipa-devel-request@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Send Freeipa-devel mailing list submissions to <a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> or, via email, send a message with subject or body 'help' to <a href="mailto:freeipa-devel-request@redhat.com">freeipa-devel-request@redhat.com</a> You can reach the person managing the list at <a href="mailto:freeipa-devel-owner@redhat.com">freeipa-devel-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-devel digest..." Today's Topics: 1. IPAv2 on SL6.2 using NIS fails with "Failed password" error (Joshua Dotson) ---------------------------------------------------------------------- Message: 1 Date: Thu, 8 Mar 2012 19:29:10 -0500 From: Joshua Dotson <<a href="mailto:josh@knoesis.org">josh@knoesis.org</a>> To: <a href="mailto:freeipa-devel@redhat.com">freeipa-devel@redhat.com</a> Subject: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with "Failed password" error Message-ID: <<a href="mailto:CANLzmLhi99Zk986F4Mh0pcYkrRhx3wgdK7CrW%2B34Q3EofBmnPg@mail.gmail.com">CANLzmLhi99Zk986F4Mh0pcYkrRhx3wgdK7CrW+34Q3EofBmnPg@mail.gmail.com</a>> Content-Type: text/plain; charset="iso-8859-1" Hi All, I'm having a problem with my IPA installs; I can't seem to get the NIS mode to work. I tried it with and without 'Migration Mode' enabled. I bind to it and 'getent passwd' and 'getent group' just fine, but when I type my password (post initial kinit password change) in for ssh, I get permission denied and the following in my client-side /var/log/secure log: Mar 8 18:15:07 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2 Mar 8 18:15:22 bastion sshd[18480]: Failed password for bob from 192.168.5.68 port 50788 ssh2 Mar 8 18:46:13 bastion sshd[18556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.6.68 user=bob Mar 8 18:46:16 bastion sshd[18556]: Failed password for bob from 192.168.5.68 port 50839 ssh2 On the server, I can find no error on the server side, matching the timestamp of when I attempt login from a third host to the bastion host (see below). Am I mistaken that IPAv2 provides backwards compatible NIS, without client-side SSSD, KRB5 and the like? Am I missing a service or something? Thanks very much! Please excuse the long email. Perhaps I'm too eager. lol :-) -Joshua. ========BACKGROUND INFO FOLLOWS========= Here are the details of my install, which is my fourth IPA install, so far. As a side note, however, I've not been able to get the NIS mode working, yet. - 2 nearly identical KVM's to test this. (1 for server and 1 for NIS client) - x86_64 - ext4 over LVM over qcow2 over NFSv3 - using virtio - Scientific Linux 6.2 minimal install from GUI of Install DVD - all available yum updates applied - iptables off - ipv4 only - added self FQDN to both /etc/hosts files - NetworkManager off in favor of network - static public IP's - Used the following commands to install my IPA server: # yum -y install \ ipa-server \ bind \ bind-dyndb-ldap # ipa-server-install \ -a 'admin_pass_example' \ --hostname=<a href="http://ipa.example.com" target="_blank">ipa.example.com</a> \ -p 'dir_man_password_example' \ -n <a href="http://exampledom.com" target="_blank">exampledom.com</a> \ -r <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> \ --setup-dns \ --forwarder=192.168.2.10 \ --forwarder=192.168.1.20 - After a reboot, logging in with Firefox works well... kinit works well after I create an initial user in the UI... Everything is cool..even enrolling other machine with the ipa-client-install tool works well.. No other changes were made inside the UI - Here are the commands I ran on the server outside the UI, per instructions (here: <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/migrating-from-nis.html</a> ) [root@ipa ~]# ipa-compat-manage enable Directory Manager password: Plugin already Enabled [root@ipa ~]# rpcinfo program version netid address service owner 100000 4 tcp6 ::.0.111 portmapper superuser 100000 3 tcp6 ::.0.111 portmapper superuser 100000 4 udp6 ::.0.111 portmapper superuser 100000 3 udp6 ::.0.111 portmapper superuser 100000 4 tcp 0.0.0.0.0.111 portmapper superuser 100000 3 tcp 0.0.0.0.0.111 portmapper superuser 100000 2 tcp 0.0.0.0.0.111 portmapper superuser 100000 4 udp 0.0.0.0.0.111 portmapper superuser 100000 3 udp 0.0.0.0.0.111 portmapper superuser 100000 2 udp 0.0.0.0.0.111 portmapper superuser 100000 4 local /var/run/rpcbind.sock portmapper superuser 100000 3 local /var/run/rpcbind.sock portmapper superuser [root@ipa ~]# ipa-nis-manage enable Directory Manager password: Enabling plugin Restarting IPA to initialize updates before performing deletes: [1/2]: stopping directory server [2/2]: starting directory server done configuring dirsrv. This setting will not take effect until you restart Directory Server. The rpcbind service may need to be started. [root@ipa ~]# reboot The system is going down for reboot NOW! sam@bastion:~$ ssh 192.168.5.25 Last login: Thu Mar 8 17:58:58 2012 from 192.168.5.99 [sam@ipa ~]$ su - Password: [root@ipa ~]# rpcinfo program version netid address service owner 100000 4 tcp6 ::.0.111 portmapper superuser 100000 3 tcp6 ::.0.111 portmapper superuser 100000 4 udp6 ::.0.111 portmapper superuser 100000 3 udp6 ::.0.111 portmapper superuser 100000 4 tcp 0.0.0.0.0.111 portmapper superuser 100000 3 tcp 0.0.0.0.0.111 portmapper superuser 100000 2 tcp 0.0.0.0.0.111 portmapper superuser 100000 4 udp 0.0.0.0.0.111 portmapper superuser 100000 3 udp 0.0.0.0.0.111 portmapper superuser 100000 2 udp 0.0.0.0.0.111 portmapper superuser 100000 4 local /var/run/rpcbind.sock portmapper superuser 100000 3 local /var/run/rpcbind.sock portmapper superuser 100004 2 udp6 ::.2.84 ypserv superuser 100004 2 udp 0.0.0.0.2.84 ypserv superuser 100004 2 tcp6 ::.2.84 ypserv superuser 100004 2 tcp 0.0.0.0.2.84 ypserv superuser [root@ipa ~]# - Here is chkconfig for the server (iptables/ip6tables are disabled by the service command when debugging) chkconfig --list|grep ':on' atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off certmonger 0:off 1:off 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off ipa 0:off 1:off 2:on 3:on 4:on 5:on 6:off iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off qpidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off sssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off - On the client, it's the same OS... SL6.2 x86_64, no firewall, minimal install, ipv4 only - I used authconfig to setup NIS, and am able to 'getent passwd' on the directory. # authconfig --enablenis --nisdomain=<a href="http://knoesis.org" target="_blank">knoesis.org</a> --nisserver=192.168.5.82 --enablemkhomedir --update - resolv.conf points to the IPA address for dns - client is same domain on the same 24-bit subnet - here are the packages I installed for NIS: Mar 08 16:05:19 Installed: libgssglue-0.1-11.el6.x86_64 Mar 08 16:05:19 Installed: libtirpc-0.2.1-5.el6.x86_64 Mar 08 16:05:19 Installed: rpcbind-0.2.0-8.el6.x86_64 Mar 08 16:05:56 Installed: 3:ypbind-1.20.4-29.el6.x86_64 Mar 08 16:05:56 Installed: yp-tools-2.9-12.el6.x86_64 - Here is chkconfig on the client: chkconfig --list|grep ':on' (iptables/ip6tables are disabled by the service command when debugging) auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off qpidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off - /etc/yp.conf (client) (I tried it with the server domain syntax, as well) ypserver 192.168.6.82 #domain <a href="http://example.com" target="_blank">example.com</a> server 192.168.6.82 - rpcinfo (client) program version netid address service owner 100000 4 tcp6 ::.0.111 portmapper superuser 100000 3 tcp6 ::.0.111 portmapper superuser 100000 4 udp6 ::.0.111 portmapper superuser 100000 3 udp6 ::.0.111 portmapper superuser 100000 4 tcp 0.0.0.0.0.111 portmapper superuser 100000 3 tcp 0.0.0.0.0.111 portmapper superuser 100000 2 tcp 0.0.0.0.0.111 portmapper superuser 100000 4 udp 0.0.0.0.0.111 portmapper superuser 100000 3 udp 0.0.0.0.0.111 portmapper superuser 100000 2 udp 0.0.0.0.0.111 portmapper superuser 100000 4 local /var/run/rpcbind.sock portmapper superuser 100000 3 local /var/run/rpcbind.sock portmapper superuser 100007 2 udp 0.0.0.0.3.46 ypbind superuser 100007 1 udp 0.0.0.0.3.46 ypbind superuser 100007 2 tcp 0.0.0.0.3.49 ypbind superuser 100007 1 tcp 0.0.0.0.3.49 ypbind superuser -- Joshua M. Dotson Systems Administrator Kno.e.sis Center Wright State University - Dayton, OH <a href="mailto:josh@knoesis.org">josh@knoesis.org</a> <a href="tel:937-350-1563" value="+19373501563">937-350-1563</a> -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-devel/attachments/20120308/f63089e2/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20120308/f63089e2/attachment.html</a>> ------------------------------ _______________________________________________ Freeipa-devel mailing list <a href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> End of Freeipa-devel Digest, Vol 58, Issue 32 ********************************************* </blockquote></div> <div> </div>-- Joshua M. Dotson Systems Administrator Kno.e.sis Center Wright State University - Dayton, OH <a href="mailto:josh@knoesis.org" target="_blank">josh@knoesis.org</a> 937-350-1563 </div>